Rule Info
Name
Potential Suspicious BPF Activity - Linux
Author
Red Canary (idea), Nasreddine Bencherchali
Description
Detects the presence of "bpf_probe_write_user" BPF helper-generated warning messages, which could be a sign of suspicious eBPF activity on the system.
Reference
Date
2023-01-25 00:00:00
Modified
None
Id
0fadd880-6af3-4610-b1e5-008dc3a11b8a
Tags
attack.persistence attack.defense_evasion DEMO
Type
Community Rule
Link to Public Repo
Rule History
Author
github-actions[bot]
Title
Merge PR #4611 from @nasbench - Promote Older Rules Status From `experimental` To `test`
Date
2023-12-01
Commit